A week with a story close to home: the official website of Spain's Ministry of Culture compromised to distribute World Cup malware. Also: two corporate security tools with unresolved zero-days, a critical network manager under attack for the second time in two weeks, and Microsoft Defender with a public exploit and no patch available. The summary you need before the weekend.

The four stories of the week

🔴 Spain's Ministry of Culture website hacked: cybercriminals use cultura.gob.es to distribute World Cup malware via Google News

The official domain of Spain's Ministry of Culture was compromised and used to publish fraudulent pages promising free World Cup 2026 streaming. Google News indexed the content as if it were official Government information, with titles like "watch Ecuador vs Ivory Coast free" appearing directly in the aggregator. The technique is SEO spam injection: compromising a high-authority domain (.gob.es) so that Google distributes the attacker's pages automatically. The impact is greater than that of the fake FIFA websites we analysed three weeks ago because users' trust in an official State domain is at its highest. Any employee who clicks from a corporate device can expose credentials and systems.

→ What you should do: Communicate to all employees that Google News does not guarantee the safety of the content it links to. No official Government website offers World Cup streaming. Review corporate browsing filters to block detected redirect domains. Full analysis →

🔴 Splunk Enterprise CVE-2026-20253 (CVSS 9.8): unauthenticated RCE in the SIEM monitoring your entire infrastructure

The Splunk Enterprise PostgreSQL Sidecar service has no authentication controls on its HTTP endpoints, allowing any network-reachable user to create or overwrite arbitrary files and escalate to root. It affects versions 10.0.0-10.0.6 (fixed in 10.0.7) and 10.2.0-10.2.3 (fixed in 10.2.4). Splunk Cloud is not affected. The severity is not only technical: compromising the SIEM means compromising the defensive visibility of the entire organisation, the logs of all systems, and the integration credentials for AWS, Azure, Active Directory and every other monitored system.

→ What you should do: Update Splunk Enterprise to 10.0.7+ or 10.2.4+. If not possible today, disable the PostgreSQL Sidecar Service. Review access logs for /v1/postgres/recovery/* endpoints since 10 June. Full analysis →
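One way to carry out the log review above, as an added example that is not part of the newsletter or of Splunk's own tooling: it filters access-log lines for requests to the sidecar endpoints on or after 10 June and tallies them per source address. The common-log line format and the sample lines are constructed for the example; the real log layout on your instance may differ and the regex would need adjusting.

```python
import re
from datetime import datetime, timezone

# Constructed sample in a common-log style (assumption: your access log looks similar).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2026:08:14:02 +0000] "GET /en-US/app/search HTTP/1.1" 200 512
10.0.0.9 - - [11/Jun/2026:22:41:17 +0000] "POST /v1/postgres/recovery/upload HTTP/1.1" 200 85
10.0.0.9 - - [11/Jun/2026:22:41:20 +0000] "PUT /v1/postgres/recovery/restore?force=1 HTTP/1.1" 201 0
10.0.0.5 - - [12/Jun/2026:09:00:00 +0000] "GET /services/server/info HTTP/1.1" 200 2048
192.0.2.7 - - [08/Jun/2026:01:02:03 +0000] "POST /v1/postgres/recovery/upload HTTP/1.1" 200 85
this line is not a log record and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WATCH_PREFIX = "/v1/postgres/recovery/"          # endpoint family named in the advisory
SINCE = datetime(2026, 6, 10, tzinfo=timezone.utc)  # review window start from the newsletter

def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"src": m.group("src"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def flag_sidecar_requests(log_text, since=SINCE):
    """Return records hitting the sidecar endpoints at or after `since`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ts"] < since:
            continue
        path = rec["path"].split("?", 1)[0]       # ignore the query string when matching
        if path.startswith(WATCH_PREFIX):
            hits.append(rec)
    return hits

def summarise_by_source(hits):
    """Count flagged requests per source address for triage."""
    counts = {}
    for rec in hits:
        counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts

if __name__ == "__main__":
    for rec in flag_sidecar_requests(SAMPLE_LOG):
        print(rec["ts"].isoformat(), rec["src"], rec["method"], rec["path"], rec["status"])
    print(summarise_by_source(flag_sidecar_requests(SAMPLE_LOG)))
```

A hit from a source that is not one of your own Splunk nodes or administrators warrants an incident review of that host, not just a patch.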

🔴 Cisco CVE-2026-20262: the sixth exploited CVE in SD-WAN Manager in four months, and the second zero-day in two weeks

Cisco confirmed active exploitation of CVE-2026-20262, an arbitrary file write flaw in the Catalyst SD-WAN Manager web UI allowing an attacker with write credentials to escalate to root via malicious .war and .jsp files. It is the sixth exploited CVE on the same platform since February 2026. CISA added it to the KEV with a deadline of 29 June. The criticality lies in the fact that SD-WAN Manager manages up to 6,000 WAN devices from a single panel: compromising the manager is equivalent to compromising the entire network infrastructure of the organisation.

→ What you should do: Apply Cisco's patch published 15-16 June. Review vmanage-server and vmanage-appserver logs for index.jsp or .war file uploads since 1 June. Audit write-access accounts and enable MFA. Full analysis →

🔴 RoguePlanet CVE-2026-50656: unpatched Microsoft Defender zero-day granting SYSTEM privileges on any fully updated Windows 10 and 11

Microsoft confirmed on 17 June it is developing a patch for CVE-2026-50656, a TOCTOU race condition in the Microsoft Malware Protection Engine allowing a low-privilege local attacker to obtain a SYSTEM shell on Windows 10 and 11 with the June Patch Tuesday installed. The PoC is public. No patch available. The direct precedent is concerning: the three previous zero-days from the same researcher (Nightmare Eclipse) were already exploited in real attacks. The only technically effective mitigation while no patch exists is WDAC in enforced mode.

→ What you should do: Enable WDAC in enforced mode if not already configured. Enable Cloud-Delivered Protection in Defender. Configure alerts for cmd.exe or powershell.exe with parent process MsMpEng.exe, which is the signal of successful exploitation. Apply the patch when Microsoft releases it. Full analysis →

Apolo Cybersecurity: your weekly cybersecurity partner

Every Friday we break down the news that really matters for your organisation's security. If you want to know how exposed your business is to any of these threats, we're one click away.
